The following KDCs were unreachable:


#1

Last Saturday I ran an update to install the latest updates.
After the update I can’t connect to my shared locations.
When I run the system diagnostic, I receive a lot of error messages:

The following KDCs were unreachable: tcp myserver01.mydomain.nl:88, udp myserver01.mydomain.nl:88

and
This is a Samba 4 DC, but samba-tool processes reports no kdc_server.

Samba4 isn’t started. I was able to start Samba with /etc/init.d/samba restart,
but that didn’t solve the issue,
as I still see this error:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 275, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 149, in run
    drs = DRSUAPI()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 62, in __init__
    drs_tuple = drs_utils.drsuapi_connect(self.server, self.load_param, self.credentials)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
drsException: drsException: DRS connection to myserver01.mydomain.nl failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')"

Hopefully one of you can tell me how I can resolve this issue.
Thanks!


#2

Hello,

This means UCS 4.4-0 Errata 33?

Best regards,
Michael Grandjean


#3

Yes, that’s right.
At the moment that Samba didn’t start, I found a post saying that this happened in the past as well, and they wrote that you can start Samba:

/etc/init.d/samba start

Yesterday I found that the KDC server isn’t available, so I was already satisfied that I see the Errata 41, but this didn’t solve the issue.

Do you know how I can solve this??


#4

When I run samba-tool drs showrepl, I receive the following:

Failed to connect host 192.168.10.50 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.10.50 (myserver01.mydomain.nl) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to myserver01.mydomain.nl failed - drsException: DRS connection to myserver01.mydomain.nl failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 54, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@myserver01:~#

And when I run: /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

gc._msdcs.mydomain.nl has address 192.168.10.50
_gc._tcp.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.gc._msdcs.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.dc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.pdc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.3680fc08-2c5c-486f-9270-98f0857fbe4c.domains._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_kerberos._tcp.dc._msdcs.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._tcp.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._udp.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kpasswd._tcp.mydomain.nl has SRV record 0 100 464 myserver01.mydomain.nl.
_kpasswd._udp.mydomain.nl has SRV record 0 100 464 myserver01.mydomain.nl.
Located DC 'myserver01' in site 'Default-First-Site-Name'
79b2ba6b-4714-4e1a-ad44-817621bba88d._msdcs.mydomain.nl is an alias for myserver01.mydomain.nl.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_kerberos._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_kerberos.mydomain.nl descriptive text "mydomain.NL"
root@myserver01:~#

Hopefully someone can tell me how I can solve this issue!


#5

Hi,

sure samba is started? What says
ps ax| grep smbd
?
Additionally, the output of these commands, please:
ucr dump| grep -iE "samba/inter|faces/prim"

/CV


#6

21995 pts/1    S+     0:00 grep smbd

and from:
ucr dump| grep -iE "samba/inter|faces/prim"

interfaces/primary: eth0

#7

And the output of /etc/init.d/samba status:

root@myserver01:~# /etc/init.d/samba status
● samba-ad-dc.service - LSB: Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2019-04-08 18:42:21 CEST; 17h ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/samba-ad-dc.service

Apr 08 18:42:20 myserver01 systemd[1]: Starting LSB: Samba daemons for the AD DC...
Apr 08 18:42:21 myserver01 samba-ad-dc[24329]: Starting Samba AD DC daemon: samba.
Apr 08 18:42:21 myserver01 systemd[1]: Started LSB: Samba daemons for the AD DC.
root@myserver01:~#

#8

Hi,

somehow it looks like your Samba is not installed at all. At least it is not running and I miss the UCR-variables related to Samba.

Output of:
dpkg -l| grep -iE "samba|server-master"
?

/CV


#9

root@myserver01:~# dpkg -l| grep -iE "samba|server-master"
ii  kopano-webapp-plugin-filesbackend-smb               2.1.0.50+30.1                                    all          Adds Samba specific functionality to Kopano Files plugin.
ii  libwbclient0:amd64                                  2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba winbind client library
ii  php-libsmbclient                                    0.5.0-30.4                                       amd64        libsmbclient-php is a PHP extension that uses Samba's libsmbclient
ii  python-samba                                        2:4.10.1-1A~4.4.0.201904031509                   amd64        Python bindings for Samba
ii  samba                                               2:4.10.1-1A~4.4.0.201904031509                   amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                                        2:4.10.1-1A~4.4.0.201904031509                   all          common files used by both the Samba server and client
ii  samba-common-bin                                    2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                                  2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba Directory Services Database
ii  samba-libs:amd64                                    2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba core libraries
ii  samba-vfs-modules                                   2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba Virtual FileSystem plugins
ii  univention-nagios-samba                             4.0.1-1A~4.4.0.201812201739                      amd64        nagios plugin for UCS samba
ii  univention-newsid                                   9.0.0-1A~4.3.0.201712120245                      amd64        UCS - generate a new samba sid
ii  univention-s4-connector                             13.0.2-4A~4.4.0.201903141417                     all          UCS - Modules for sync UCS and Samba4 LDB directory
ii  univention-samba-local-config                       13.0.0-2A~4.4.0.201903141254                     all          UCS - UCR Extensions for configuration of local shares
ii  univention-samba4                                   8.0.0-17A~4.4.0.201903251927                     amd64        UCS - Samba4 integration package
ii  univention-samba4-sysvol-sync                       8.0.0-17A~4.4.0.201903251927                     all          UCS - Samba4 sysvol synchronization
ii  univention-server-master                            14.0.0-2A~4.4.0.201901062148                     all          UCS - master domain controller
root@myserver01:~#

#10

Hi,

looks good so far. Just wondering why the UCR variables are not set.
ucr dump| grep -iE "^samba/|^samba4/"
?

/CV


#11

Hi, thanks for your support,
When I try to start the Samba4 service, I receive the following error message:

Could not fulfill the request.

Server error message:

Starting the service samba4 failed:
Unit samba4.service could not be found.

When I run /etc/init.d/samba status, it shows that it’s running:

● samba-ad-dc.service - LSB: Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2019-04-08 18:42:21 CEST; 17h ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/samba-ad-dc.service

Apr 08 18:42:20 myserver01 systemd[1]: Starting LSB: Samba daemons for the AD DC...
Apr 08 18:42:21 myserver01 samba-ad-dc[24329]: Starting Samba AD DC daemon: samba.
Apr 08 18:42:21 myserver01 systemd[1]: Started LSB: Samba daemons for the AD DC.
root@myserver01:~#

#12

Then I receive this:

root@myserver01:~# ucr dump| grep -iE "^samba/|^samba4/"
samba/acl/allow/execute/always: yes
samba/adminusers: administrator join-backup
samba/autostart: no
samba/deadtime: 15
samba/debug/level: 1
samba/domain/master: yes
samba/enable-msdfs: yes
samba/encrypt_passwords: yes
samba/getwd_cache: yes
samba/guest_account: nobody
samba/homedirletter: I
samba/homedirpath: %U
samba/homedirserver: myserver01
samba/kernel_oplocks: yes
samba/large_readwrite: yes
samba/map_to_guest: Bad User
samba/max_open_files: 32808
samba/max_xmit: 65535
samba/oplocks: yes
samba/preserve_case: yes
samba/profilepath: %U\windows-profiles\%a
samba/profileserver: myserver01
samba/quota/command: None
samba/read_raw: yes
samba/register/exclude/interfaces: docker0
samba/share/groups: no
samba/share/home: yes
samba/share/netlogon: yes
samba/short_preserve_case: yes
samba/store_dos_attributes: yes
samba/use_spnego: yes
samba/write_raw: yes
samba4/autostart: yes
samba4/backup/cron: 0 3 * * *
samba4/function/level: 2008_R2
samba4/ldap/base: DC=mydomain,DC=NL
samba4/ntacl/backend: native
samba4/role: DC
samba4/service/nmb: nmbd
samba4/service/smb: s3fs
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@myserver01:~#

#13

Hi,

Strange. Packages are all installed as far as I can see. But UCR variables are not set at all. Missing all “samba4/” variables as well as the samba/interfaces ones…

Sorry, currently I am not having a clue what went wrong here.

/CV


#14

This is really strange, as everything worked fine until last Saturday!
Is there an option to restore or rebuild this?


#15

Is this right?
When I search for samba4 in the GUI Univention Configuration Registry, I receive the following:

|Variable|Value|
|---|---|
|appcenter/apps/samba4/status|installed|
|appcenter/apps/samba4/ucs|4.4|
|appcenter/apps/samba4/version|4.10|
|connector/s4/mapping/dns/position||
|dns/backend|samba4|
|kerberos/autostart|no|
|samba4/addmachine||
|samba4/autostart|yes|
|samba4/backup/cron|0 3 * * *|
|samba4/backup/cron/options||
|samba4/dc||
|samba4/dcerpc/endpoint/drsuapi||
|samba4/disabled||
|samba4/function/level|2008_R2|
|samba4/join/dnsupdate||
|samba4/join/site||
|samba4/kccsrv/samba_kcc||
|samba4/ldap/base|DC=mydomain,DC=NL|
|samba4/ldb/sam/module/*||
|samba4/ntacl/backend|native|
|samba4/provision/primary||
|samba4/provision/secondary||
|samba4/role|DC|
|samba4/schema/update/allowed||
|samba4/service/drepl||
|samba4/service/nmb|nmbd|
|samba4/service/smb|s3fs|
|samba4/sysvol/cleanup/cron|4 4 * * *|
|samba4/sysvol/cleanup/parameters||
|samba4/sysvol/sync/cron|*/5 * * * *|
|samba4/sysvol/sync/debug||
|samba4/sysvol/sync/fix_gpt_ini||
|samba4/sysvol/sync/from_downstream||
|samba4/sysvol/sync/from_upstream||
|samba4/sysvol/sync/from_upstream/delete||
|samba4/sysvol/sync/jitter|60|
|samba4/sysvol/sync/setfacl/AU|false|
|security/packetfilter/package/univention-samba4/tcp/53/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/53/all/en|DNS|
|security/packetfilter/package/univention-samba4/tcp/88/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/88/all/en|Kerberos|
|security/packetfilter/package/univention-samba4/tcp/135/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/135/all/en|RPC (Samba)|
|security/packetfilter/package/univention-samba4/tcp/137:139/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/137:139/all/en|netbios (Samba)|
|security/packetfilter/package/univention-samba4/tcp/389/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/389/all/en|LDAP|
|security/packetfilter/package/univention-samba4/tcp/445/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/445/all/en|microsoft-ds (Samba)|
|security/packetfilter/package/univention-samba4/tcp/464/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/464/all/en|Kerberos change/set password|
|security/packetfilter/package/univention-samba4/tcp/636/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/636/all/en|LDAPS|
|security/packetfilter/package/univention-samba4/tcp/749/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/749/all/en|Kerberos admin|
|security/packetfilter/package/univention-samba4/tcp/1024/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/1024/all/en|KDM (Samba)|
|security/packetfilter/package/univention-samba4/tcp/3268/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/3268/all/en|LDAP GC (Samba)|
|security/packetfilter/package/univention-samba4/tcp/3269/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/3269/all/en|LDAP GC SSL (Samba)|
|security/packetfilter/package/univention-samba4/tcp/49152:65535/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en|Dynamic RPC Ports (Samba)|
|security/packetfilter/package/univention-samba4/udp/53/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/53/all/en|DNS|
|security/packetfilter/package/univention-samba4/udp/88/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/88/all/en|Kerberos|
|security/packetfilter/package/univention-samba4/udp/123/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/123/all/en|TIME|
|security/packetfilter/package/univention-samba4/udp/137:139/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/137:139/all/en|netbios (Samba)|
|security/packetfilter/package/univention-samba4/udp/389/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/389/all/en|LDAP|
|security/packetfilter/package/univention-samba4/udp/445/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/445/all/en|microsoft-ds (Samba)|
|security/packetfilter/package/univention-samba4/udp/464/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/464/all/en|Kerberos change/set password|

#16

Is it an option to restore only the Samba4 settings?
When I review the LDAP/AD settings in Nextcloud on the same server, all of them are green.


#17

You might want to have a look at /var/univention-backup/ucr-backup_* from before the update and compare it to a version from last night.


#18

That’s strange: there’s a daily backup of this file until I upgraded the server last Saturday, so the latest backup is from April 6.


#19

I found the issue when I compared the base.conf settings with the backup.
Last week we added a second port on the slapd/port/ldaps setting: slapd/port/ldaps: 7636,636
While the command by this settings are:

Unfortunately, this was only visible after the upgrade and the reboot.
Thanks for all your support!


#20

Oh, okay. Then Samba AD DC and OpenLDAP will fight over port 636 :)
This might explain some things: https://www.univention.com/blog-en/2015/10/synchronisation-between-ucs-and-microsoft-windows-with-samba-active-directory/
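
The conflict found in posts #19 and #20, as an added example (not part of the thread and not Univention's own tooling): a shell function that reads `ucr dump` output and reports every OpenLDAP listener port that is also in the univention-samba4 TCP port list from post #15. The function name, the `slapd/port` key and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# TCP ports opened for univention-samba4 in the packet filter list in post #15
# (137:139 expanded; the 49152:65535 dynamic RPC range is left out).
SAMBA_TCP_PORTS="53 88 135 137 138 139 389 445 464 636 749 1024 3268 3269"

# Reads "key: value" lines (the `ucr dump` format) on stdin and prints
# "<ucr key> <port>" for each slapd port that is also a Samba AD DC port.
# Prints nothing unless samba4/role is set, i.e. the host is a Samba DC.
slapd_samba_conflicts() {
    awk -v samba="$SAMBA_TCP_PORTS" '
        BEGIN { n = split(samba, p, " "); for (i = 1; i <= n; i++) taken[p[i]] = 1 }
        /^samba4\/role: ./ { is_dc = 1 }
        # slapd/port is an assumed key name; slapd/port/ldaps is from post #19
        /^slapd\/port(\/ldaps)?: / {
            key = $0; sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*: */, "", val)
            m = split(val, ports, /[ ,]+/)      # accepts "7636,636" and "7636, 636"
            for (j = 1; j <= m; j++)
                if (ports[j] in taken) hits[++h] = key " " ports[j]
        }
        END { if (is_dc) for (k = 1; k <= h; k++) print hits[k] }'
}

# Constructed samples. The "after" ldaps value is the one quoted in post #19;
# the "before" values are assumed for illustration.
UCR_BEFORE='samba4/role: DC
slapd/port: 7389
slapd/port/ldaps: 7636'

UCR_AFTER='samba4/role: DC
slapd/port: 7389
slapd/port/ldaps: 7636,636'

printf '%s\n' "$UCR_BEFORE" | slapd_samba_conflicts
printf '%s\n' "$UCR_AFTER"  | slapd_samba_conflicts
```

On a live system the input would come from `ucr dump | slapd_samba_conflicts`; running it before a reboot catches a conflict that otherwise only shows up once both daemons try to bind again.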